Hello Jeremy, thanks for this very helpful hint!
> Actual debug output from the Exim system. I pointed out how best
> to do that on the 2nd (assuming that the Exim system is the
> accepting end for the connection).
> [ In case it's an outbound connection at issue, a simple way to get
> debug is:
> exim -d+all -odf fred@??? </dev/null 2>&1 | tee debuglog
[...]
> ]

Doing so I was able to catch the GnuTLS failing connection:
======================================================================
17:46:01  1566 85.215.77.84 in hosts_require_ocsp? no (option unset)
17:46:01  1566 85.215.77.84 in hosts_request_ocsp? yes (matched "*")
17:46:01  1566 initialising GnuTLS as a client on fd 6
17:46:01  1566 GnuTLS global init required
17:46:01  1566 initialising GnuTLS client session
17:46:01  1566 Expanding various TLS configuration options for session credentials
17:46:01  1566 TLS: basic cred init, client
17:46:01  1566 TLS: no client certificate specified; okay
17:46:01  1566 Added 140 certificate authorities
17:46:01  1566 GnuTLS using default session cipher/priority "NORMAL"
17:46:01  1566 Setting D-H prime minimum acceptable bits to 1024
17:46:01  1566 85.215.77.84 in tls_verify_hosts? no (option unset)
17:46:01  1566 85.215.77.84 in tls_try_verify_hosts? yes (matched "*")
17:46:01  1566 85.215.77.84 in tls_verify_cert_hostnames? yes (matched "*")
17:46:01  1566 TLS: server cert verification includes hostname: "mx06.et.lindenberg.one"
17:46:01  1566 TLS: server certificate verification optional
17:46:01  1566 TLS: will request OCSP stapling
17:46:01  1566 85.215.77.84 in tls_resumption_hosts? no (option unset)
17:46:01  1566 about to gnutls_handshake
17:46:01  1566 TLS session fail: (gnutls_handshake): Key usage violation in certificate has been detected.
17:46:01  1566   SMTP(close)>>
17:46:01  1566 cmdlog: '220:EHLO:250-:STARTTLS:220'
17:46:01  1566 85.215.77.84 in hosts_require_tls? yes (matched "*")
17:46:01  1566 set_process_info: 1566 delivering 1sQU5Q-0000PD-2z: just tried mx06.et.lindenberg.one [85.215.77.84] for t...@mx06.et.lindenberg.one: result DEFER

and the OpenSSL working connection:
=====================================
17:32:15  1168   SMTP>> STARTTLS
17:32:15  1168 cmd buf flush 10 bytes
17:32:15  1168 read response data: size=24
17:32:15  1168   SMTP<< 220 Ready to start TLS
17:32:15  1168 85.215.77.84 in hosts_require_ocsp? no (option unset)
17:32:15  1168 85.215.77.84 in hosts_request_ocsp?
17:32:15  1168  list element: *
17:32:15  1168 85.215.77.84 in hosts_request_ocsp? yes (matched "*")
17:32:15  1168 setting SSL CTX options: 0000000042004000
17:32:15  1168 Initialized TLS
17:32:15  1168 85.215.77.84 in tls_verify_hosts? no (option unset)
17:32:15  1168 85.215.77.84 in tls_try_verify_hosts?
17:32:15  1168  list element: *
17:32:15  1168 85.215.77.84 in tls_try_verify_hosts? yes (matched "*")
17:32:15  1168 tls_verify_certificates: system
17:32:15  1168 85.215.77.84 in tls_verify_cert_hostnames?
17:32:15  1168  list element: *
17:32:15  1168 85.215.77.84 in tls_verify_cert_hostnames? yes (matched "*")
17:32:15  1168 Cert hostname to check: "mx06.et.lindenberg.one"
17:32:15  1168 85.215.77.84 in tls_resumption_hosts? no (option unset)
17:32:15  1168 Calling SSL_connect
17:32:15  1168 SSL hshake_start: before SSL initialization
17:32:15  1168 SSL SSL_connect,state_chg: before SSL initialization
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write client hello
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write client hello
17:32:15  1168 SERVER_HANDSHAKE_TRAFFIC_SECRET ebdcb2de396f0ac9ef391a..
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server hello
17:32:15  1168 SSL SSL_connect,state_chg: TLSv1.3 read encrypted extensions
17:32:15  1168 LOG: MAIN
17:32:15  1168   [85.215.77.84] SSL verify error: depth=0 error=self-signed certificate cert=/C=DE/ST=BW/L=Karlsruhe/O=Lindenberg/OU=Tests/CN=et.lindenberg.one
17:32:15  1168 SSL verify failure overridden (host in tls_try_verify_hosts)
17:32:15  1168 mx06.et.lindenberg.one suitable for cert, per OpenSSL? yes
17:32:15  1168 SSL verify ok: depth=0 SN=/C=DE/ST=BW/L=Karlsruhe/O=Lindenberg/OU=Tests/CN=et.lindenberg.one
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server certificate
17:32:15  1168 SSL SSL_connect,state_chg: TLSv1.3 read server certificate verify
17:32:15  1168 EXPORTER_SECRET ebdcb2de396f0ac9ef391ac0e2f69d408fa87164...
17:32:15  1168 SERVER_TRAFFIC_SECRET_0 ebdcb2de396f0ac9ef391ac0e2f69d40...
17:32:15  1168 Received TLS status callback (OCSP stapling):
17:32:15  1168 null
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read finished
17:32:15  1168 CLIENT_HANDSHAKE_TRAFFIC_SECRET ebdcb2de396f0ac9ef391ac0e2f...
17:32:15  1168 CLIENT_TRAFFIC_SECRET_0 ebdcb2de396f0ac9ef391ac0e2f69d408fa...
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS write finished
17:32:15  1168 SSL hshake_done: SSL negotiation finished successfully
17:32:15  1168 SSL_connect succeeded
17:32:15  1168 Cipher: TLS1.3:TLS_AES_256_GCM_SHA384:256
17:32:15  1168 Have channel bindings cached for possible auth usage 0x55dfd11a8650 0x55dfcf15a680
17:32:15  1168   SMTP>> EHLO myMX.sub.myDomain.top
17:32:15  1168 cmd buf flush 34 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 34)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 34)
17:32:15  1168 outbytes=34 error=0
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 SSL SSL_connect,state_chg: SSL negotiation finished successfully
17:32:15  1168 SSL SSL_connect,state_chg: SSL negotiation finished successfully
17:32:15  1168 SSL SSL_connect,state_chg: SSLv3/TLS read server session ticket
17:32:15  1168 read response data: size=62
17:32:15  1168   SMTP<< 250-mx01.et.lindenberg.one Hello kant.sub.simple-test-bed.de
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=10
17:32:15  1168          250 HELP
17:32:15  1168 not using PIPELINING
17:32:15  1168 not using DSN
17:32:15  1168 85.215.77.84 in hosts_require_auth? no (option unset)
17:32:15  1168   SMTP>> MAIL FROM:<r...@sub.simple-test-bed.de>
17:32:15  1168 cmd buf flush 41 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 41)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 41)
17:32:15  1168 outbytes=41 error=0
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=13
17:32:15  1168   SMTP<< 250 OK MAIL
17:32:15  1168   SMTP>> RCPT TO:<t...@mx06.et.lindenberg.one>
17:32:15  1168 cmd buf flush 39 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 39)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 39)
17:32:15  1168 outbytes=39 error=0
17:32:15  1168 sync_responses expect rcpt for t...@mx06.et.lindenberg.one
17:32:15  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:15  1168 read response data: size=13
17:32:15  1168   SMTP<< 250 OK RCPT
17:32:15  1168   SMTP>> DATA
17:32:15  1168 cmd buf flush 6 bytes
17:32:15  1168 tls_write(0x55dfd11f0218, 6)
17:32:15  1168 SSL_write(0x55dfd130e380, 0x55dfd11f0218, 6)
17:32:15  1168 outbytes=6 error=0
17:32:15  1168 sync_responses expect data
17:32:16  1168 Calling SSL_read(0x55dfd130e380, 0x55dfd11ef218, 4096)
17:32:16  1168 read response data: size=37
17:32:16  1168   SMTP<< 354 End data with <CR><LF>.<CR><LF>
17:32:16  1168   SMTP>> (writing message)
lot of DKIM messages here....

So, the only thing I can see here is that the remote MX does not offer OCSP stapling, which in this case is also not required!

Furthermore, I see that with the very same configuration OpenSSL gives a LOT more information than GnuTLS.

Any ideas if that can be the cause?

regards
Wolfgang
--
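GnuTLS raises "Key usage violation in certificate" when the server certificate's Key Usage extension does not permit the operation the negotiated key exchange needs: a TLS 1.3 or (EC)DHE handshake (the OpenSSL run above negotiated TLS 1.3) requires the server to sign, so the certificate needs the digitalSignature bit, while plain RSA key exchange needs keyEncipherment. The decoder below is an added example, not code from this thread or from Exim; it parses the DER-encoded KeyUsage BIT STRING (as printed by a certificate dumper or extracted from the cert) and reports whether the required bit is set. The sample extension values are constructed.

```python
# Decode an X.509 KeyUsage extension (DER BIT STRING, RFC 5280 4.2.1.3) and
# check it against what a TLS handshake needs. Added example, not Exim code;
# the sample DER values below are constructed, not taken from a real cert.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage bit names set in a DER BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    names = set()
    nbits = len(body) * 8 - unused
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB
            names.add(KEY_USAGE_BITS[i])
    return names

def required_usage(signing_kx: bool) -> str:
    """TLS 1.3 and (EC)DHE suites need a signature from the server key;
    static RSA key exchange (TLS <= 1.2) needs keyEncipherment instead."""
    return "digitalSignature" if signing_kx else "keyEncipherment"

def usage_ok(der: bytes, signing_kx: bool = True) -> bool:
    """True if the extension is absent (b"") or permits the needed operation."""
    if not der:            # no KeyUsage extension: nothing is restricted
        return True
    return required_usage(signing_kx) in decode_key_usage(der)

# Constructed samples:
# 03 02 05 a0 -> digitalSignature + keyEncipherment (typical server cert)
SERVER_CERT_KU = bytes.fromhex("030205a0")
# 03 02 01 06 -> keyCertSign + cRLSign only (a CA-style self-signed cert,
#               which a TLS 1.3 handshake cannot use for signing)
CA_ONLY_KU = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, ku in (("server", SERVER_CERT_KU), ("ca-only", CA_ONLY_KU)):
        print(label, sorted(decode_key_usage(ku)), "TLS 1.3 ok:", usage_ok(ku))
```

A certificate that passes `usage_ok` for the key exchange actually negotiated will not trigger the GnuTLS key-usage check; one that fails it is a candidate for reissuing with the proper Key Usage bits.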